Iran vs. You: Part II
I recently wrote about the threat from the Government of Iran (GOI) using cyber attacks on the United States, and it’s clear that struck a nerve with so many. As heated of a topic as it currently is, it’s only going to get worse. We know the Iranians are angry about the assassination of their number two guy in their government, motivating them to take action. We also know they have the means to induce great harm, considering since 2007 they have invested heavily in their cyber-hacking and espionage capabilities. Do they have the courage or nerve to make a direct strike against the United States? I personally do not think so.
However, in the world of actual terrorism, Iran rarely does their dirty work on their own.
Instead, they employ a system of proxies. This means they provide the tools and funding to outside groups to do their dirty work so they can deny actual involvement.
When I was handling computer intrusion threats for the FBI, we always spoke about attribution being the hardest thing to prove. It was extremely challenging to prove who was behind the keyboard of the computer that caused an attack. I hear people talking about “hacking back” and causing damage against the computer who attacked their organization. Well that sounds great in theory, but here’s a look into a hypothetical situation.
Let’s say threat actors gain unauthorized access to a building’s HVAC and elevator systems, shutting both down. This happens during the heat of summer to a large building in the southern United States. As a result, 20 people are stuck in elevators for a few hours and one dies as a result of a heart attack. Now we have someone who died as a result of this cyber attack. We all believe this was done by the GOI. This is not a complicated attack, unlike the ones you hear of on the news that involves tens of hundreds of thousands of people. Not only is this situation much more plausible, it’s devastating because it can happen way more frequently.
So Law Enforcement gets involved, and the local United States Attorney’s Office promises to prosecute the individuals responsible for this horrible deed. A forensics examination of the company’s computer network shows the threat actor logged into the building’s control system from an IP address in a country in the Asia Pacfic Region.
If all it took was a username and password to gain access to the buildings control system, then there is a major problem.
Think about the Ring Doorbell. If a criminals stole the password to your security system and logged in- well, you know have a remote instruder in your home. Creepy.
Luckily, the FBI deploys Special Agents all over the world as part of the FBI’s Legal Attache Program known as Legats. Many of these agents are Cyber Agents who handle computer intrusion matters. In the past decade the FBI has beefed up their overseas Cyber Program. They receive a priority lead which means they will get awakened in the middle of the night and spring into action. In this hypothetical situation, this country has a great working relationship with the FBI; however, they have strict privacy laws and they require a mutual legal assistance treaty (MLAT) from the US Government before they will turn things over. MLATS take time to obtain, but let’s just say due to the heightened priority of this matter they turn over the information and discover the computer in question which gained unauthorized access was a compromised computer.
A forensic examination of the compromised computer discovers this computer was used as a proxy and the actual log in came from a country in South America. At this point the FBI’s assets in South America jump in action and from there they discover that computer was also a proxy and the point of entry came from a computer in Africa and then it bounces somewhere in Europe.
So what happens when it bounces to a computer in a country in which the United States does not have a great working relationship?
So often when I speak about Cybercrime Prevention I use something I call The Four Truths:
- Nobody ever expects to be a victim. Did this organization or any others think their HVAC or Elevator System would be compromised?
- When the bad guys steal your stuff it’s very difficult to recover. This is different because the bad guys didn’t steal anything. They just caused damage and in this hypothetical situation- a murder.
- The chances of bringing the bad guys to justice is challenging. As I said- proving who did it is hard and even if we can bring this threat actor to justice it won’t bring back the person who died.
- A majority of Cybercrime could have been prevented. Remember in this hypothetical situation all the threat actor did was steal the username and password to the building control system.
I think by now you get the picture. Our government’s intelligence community might be able to pinpoint who the bad guy is, but it takes time. A lot of time that some people don’t have. Iran might be gearing up for cyberwar but we’re ready. Are you doing your part to prepare for any mishap on the cyberspace frontlines? Just remember- your best defense starts with YOU!